VPN users accessing DMZ Servers with IP Static NAT to Inside

mikecastdogg
Level 1

I have static NAT on inside to the VPN so that internal clients can access the VPN. The problem is that VPN clients and L2L connections cannot access the DMZ. Any thoughts?

4 Replies

gfullage
Cisco Employee

You probably have something like this in your config:

access-list nonat permit ip

nat (inside) 0 access-list nonat

This stops your VPN traffic from being NAT'd so that it'll match your crypto access-list correctly. This is only doing it for traffic coming from the inside interface though. For VPN users to get to the DMZ interface you need the same sort of thing like this:

access-list nonatdmz permit ip

nat (dmz) 0 access-list nonatdmz
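As an added example (not from the thread or from Cisco), here is what the two exemptions look like next to the static that the original poster is worried about, in pre-8.3 PIX/ASA syntax. The addressing is made up for illustration: inside is 10.1.1.0/24, the DMZ is 192.168.10.0/24, the remote-access VPN pool is 10.10.10.0/24, and the DMZ server 192.168.10.5 is presented to inside users as 10.1.1.5. The command names are real; everything else is an assumption.

```text
! Added example, not the poster's config. Assumed addressing, see lead-in.

! Exemption the poster already has: inside hosts talking to VPN clients
! are not translated, so the traffic matches the crypto ACL as-is.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! The missing piece: the same exemption for traffic leaving the DMZ
! interface toward VPN clients. For an L2L tunnel, add a line with the
! remote site's network as the destination instead of the client pool.
access-list nonatdmz permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz

! Existing static that gives inside hosts an inside address for the
! DMZ server. NAT exemption (nat 0 access-list) is evaluated before
! static translations, so this entry is unaffected by the lines above.
static (dmz,inside) 10.1.1.5 192.168.10.5 netmask 255.255.255.255
```

After adding the exemption, run `clear xlate` so that any translation already built for the DMZ server is dropped and the new rule is consulted on the next packet; `show nat` confirms that the nat 0 entries are listed ahead of the static.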

Is the static (dmz,inside) statement still going to screw me up? I still need internal/VPN clients to use an internal address for the DMZ server.

Mike,

No it will not. As Glenn has posted, you can use nat exemption for the dmz to vpn clients. This is first in the nat order of operations and will not affect your (dmz,inside) destination nat.

Thank you both. I will try this in my lab.
